Ten (+1) reasons to treat network security like home security

Its a good week at TechRepublic for security articles.
In the light of a number of threads this last month in the various forums I’m invovled with I found this article particularly interesting.

The real problem with the ROI debate is that it is about convincing management that spending money on InfoSec protection is worth while. The “B-school mentality” of management is that everything can be reduced to numbers, and many people ‘speak’ that language and have troubles with anything not reduced to numbers. I hope they compartmentalise and and their home life s not “by numbers”. (Imagine justifying the cost effectiveness of peanut butter sandwiches in the kids lunchbox!)

But a lot of InfoSec is too abstract for people.
In my presentations I’ve often given the example of the 1950s office: typewriters, ribbons, carbon paper, hanging file cabinets, copies, and mapped them to modern technology like PC terminals, keystroke recorders, hard drives and file file servers, and thumb drives, and shown that the same principles apply to protecting the information whatever the technology.

So I found this a very useful article. People can easily relate to the physical, to their own home situation. We have many centuries legacy of houses, thieves and door locks and once people can map from something they know to to abstract their understanding is easier, and so our justification of InfoSec measures is also easier.

It seems that people usually have logical thinking when they discuss physical security. This is not the case when they discuss logical security.

There are hundreds of companies that have invested heavily into intrusion detection systems but they have a total lack of incident response or policies associated with what to do when there is an incident detected.

When you ask them if they would buy an home alarm system that does not have a siren and does not alert the police they always respond “No way”, however they do this on a day to day basis with their logical security.

There are many other very good follow-ups to this article and I recommend reading though them.